This is a post in a series where I complete every Flare-on challenge. The landing page for all of these posts can be found here.
Challenge 4 starts off with a PDF file. I begin by dumping the objects and filtered streams of the PDF with pdf-parser.py from Didier Stevens' PDF tools:
pdf-parser.py -f APT9001.orig.pdf > apt5.txt
After copying out the embedded JavaScript and some manual de-obfuscation, I find a block of %u-escaped shellcode (the format JavaScript's unescape() consumes, one 16-bit word per %uXXXX). I used a short script to decode it into a binary file that can be run and debugged:

from binascii import unhexlify as unhx

# encoded = open('encoded.txt').read()   # the shellcode dump, if read from a file
encoded = "%u72f9%u4649%u1525%u7f0d%u3d3c%ue084%ud62a%ue139%ua84a%u76b9%u9824%u7378%u7d71%u757f%u2076%u96d4%uba91%u1970%ub8f9%ue232%u467b%u-SNIP-%u2454%u5740%ud0ff"

with open('shellcode.bin', 'wb') as out:
    for s in encoded.split('%'):
        # each token is "uXXXX": a 16-bit word that sits in memory little-endian,
        # so the last two hex digits are the low byte and are written first
        if len(s) == 5:
            lo_byte = s[3:]
            hi_byte = s[1:3]
            out.write(unhx(lo_byte))
            out.write(unhx(hi_byte))
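The script above only understands %uXXXX tokens. Real heap-spray strings usually mix %uXXXX, %XX and literal characters, and what ends up in memory is the UTF-16LE layout of the resulting JavaScript string. The following decoder is an added example, not code from the original post: it reproduces unescape() semantics (malformed escapes stay literal, as in JavaScript) and then lays the code units out as little-endian words, which is why %u72f9 becomes the bytes f9 72. The sample input is constructed from the first three words shown on the page.

```python
import re
import struct

# Constructed sample: the first three %u words of the blob quoted above.
SAMPLE_ESCAPED = "%u72f9%u4649%u1525"

# %uXXXX (one UTF-16 code unit) or %XX (one code unit in 0x00..0xFF)
_ESCAPE = re.compile(r"%u([0-9A-Fa-f]{4})|%([0-9A-Fa-f]{2})")


def js_unescape_units(s):
    """Return the UTF-16 code units JavaScript's unescape() would produce.

    %uXXXX -> 0xXXXX, %XX -> 0x00XX; anything else, including a malformed
    escape such as "%zz" or "%u-SNIP-", is kept literally, like JavaScript does.
    """
    units = []
    pos = 0
    while pos < len(s):
        m = _ESCAPE.match(s, pos)
        if m:
            units.append(int(m.group(1) or m.group(2), 16))
            pos = m.end()
        else:
            # literal character; encode via UTF-16LE so non-BMP characters
            # become the surrogate pair a JS string would actually hold
            enc = s[pos].encode("utf-16-le")
            units.extend(struct.unpack("<%dH" % (len(enc) // 2), enc))
            pos += 1
    return units


def shellcode_bytes(s):
    """Lay the code units out as the string sits in process memory:
    one little-endian 16-bit word per unit."""
    return b"".join(struct.pack("<H", u) for u in js_unescape_units(s))


def write_shellcode(s, path):
    """Decode s and write the raw bytes to path; returns the byte count."""
    data = shellcode_bytes(s)
    with open(path, "wb") as f:
        f.write(data)
    return len(data)


if __name__ == "__main__":
    print(shellcode_bytes(SAMPLE_ESCAPED).hex(" "))
```

Note the %XX case: a single escaped byte still occupies two bytes in memory (XX 00), so a blob that mixes both escape forms is not simply "hex with a %u prefix", and a decoder that strips the escapes without modelling the string layout produces shifted, unrunnable code.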
I took the binary code and loaded it in BlobRunner and attached x64dbg to it.
The first instruction sets the carry flag, and the instruction right after it is a JB that jumps to the end of the code when CF is set, so on a plain run the shellcode exits immediately. To keep executing, either patch the JB to NOPs or clear CF in the flags pane before the jump executes.
The code can then be stepped through until it builds the flag on the stack around offset +0x3c1; at that point the flag is visible in ECX.
However, if you run the code to completion, the message box it displays contains junk rather than the flag.
To get the flag to show up in the message box, NOP out the loop starting at +0x3ce, just before the CALL EAX.
Now the flag shows up in the message box!
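Both patches have to be redone every time the blob is reloaded in the debugger. The patcher below is an added example, not part of the original post, that applies them to the file once. It assumes the decoded blob starts with STC (F9) followed by a JB in either the short (72 rel8) or near (0F 82 rel32) encoding, which matches the described prologue but is not confirmed byte for byte by the post; it can either NOP the jump or flip STC to CLC (F8), and it NOPs any extra (offset, length) ranges such as the loop at +0x3ce, whose length the post does not give. The sample bytes, the loop length and the output file name are constructed.

```python
# Constructed stand-in for shellcode.bin: STC, a short forward JB, then filler.
# The real decoded blob is not reproduced here; only the prologue shape is assumed.
SAMPLE_SHELLCODE = bytes.fromhex("f9 72 7f") + b"\xcc" * 0x3FD   # 0x400 bytes

STC, CLC, NOP = 0xF9, 0xF8, 0x90


def jb_length_after_stc(blob):
    """Length in bytes of the conditional jump that follows the leading STC,
    or None if the blob does not start with STC + JB/JC (assumed encodings:
    short 72 rel8 = 2 bytes, near 0F 82 rel32 = 6 bytes)."""
    if len(blob) < 3 or blob[0] != STC:
        return None
    if blob[1] == 0x72:
        return 2
    if blob[1:3] == b"\x0f\x82" and len(blob) >= 7:
        return 6
    return None


def nop_range(blob, offset, length):
    """Return a copy of blob with [offset, offset+length) overwritten by NOPs."""
    if offset < 0 or length <= 0 or offset + length > len(blob):
        raise ValueError("range %#x+%d is outside a %d-byte blob"
                         % (offset, length, len(blob)))
    patched = bytearray(blob)
    patched[offset:offset + length] = bytes([NOP]) * length
    return bytes(patched)


def patch_shellcode(blob, extra_ranges=(), clear_carry_instead=False):
    """Disarm the STC/JB prologue, then NOP each extra (offset, length) range,
    e.g. the loop before CALL EAX that turns the flag into junk."""
    jb_len = jb_length_after_stc(blob)
    if jb_len is None:
        raise ValueError("blob does not start with STC followed by JB")
    if clear_carry_instead:
        # one-byte change: CF is now clear, so the untouched JB falls through
        patched = bytearray(blob)
        patched[0] = CLC
        patched = bytes(patched)
    else:
        # keep the STC, replace the jump itself with NOPs
        patched = nop_range(blob, 1, jb_len)
    for offset, length in extra_ranges:
        patched = nop_range(patched, offset, length)
    return patched


if __name__ == "__main__":
    LOOP_AT, LOOP_LEN = 0x3CE, 5          # offset from the post; length is constructed
    fixed = patch_shellcode(SAMPLE_SHELLCODE, [(LOOP_AT, LOOP_LEN)])
    with open("shellcode_patched.bin", "wb") as f:   # constructed file name
        f.write(fixed)
    print(fixed[:8].hex(" "), "...", fixed[LOOP_AT:LOOP_AT + LOOP_LEN].hex(" "))
```

Prefer the NOP range for the loop over a single-byte change: the instructions inside it are what scramble the flag, so every byte of the loop has to go, whereas for the prologue flipping STC to CLC is enough and keeps the blob the same length.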